Uba workflow, Flow records collection, Device/probe management – H3C Technologies H3C Intelligent Management Center User Manual
Page 15: Server configuration, Audit tasks and results
6
UBA workflow
To configure a user behavior audit task to audit user behaviors:
1.
Add a device or probe to UBA.
2.
Modify the server configuration and deploy the server configuration.
3.
Add a user behavior audit task.
4.
View the audit result.
Flow records collection
UBA can audit flow records collected from the following types of sources:
•
Device—Switches or routers that support a flow-based traffic statistics collection technology, such as
Flow, NetStream, or NetFlow. You must configure the flow-based traffic statistics collection
technology on the devices. For more information, see related configuration guide of your device.
•
Probe—For devices that do not support flow-based traffic statistics collection technologies, deploy a
probe to collect flow records. You must configure port mirroring on the device to mirror the traffic to
be analyzed to the probe. For more information about deploying a probe, see HP IMC Probe
Installation Guide. For more information about configuring port mirroring, see related
configuration guide of your device.
Device/Probe management
The Device Management function allows you to add a device to UBA to act as a flow records source.
For more information about device management, see "
Managing UBA data source devices
."
The Probe Management function allows you to add a probe to UBA to act as a flow records source. For
more information about probe management, see "
Server configuration
For the UBA server to receive flow records from a device, select the device in the server configuration.
For the UBA server to receive flow records from a probe, select the probe in the server configuration and
configure FTP parameters. You can also enable special audits. The probe collects flow records of the
received mirrored traffic received from the device and uploads the flow records to the UBA server by
using FTP.
Excessive data greatly affects UBA processing efficiency. You can configure the intranet network
segment for network flow monitoring. The UBA server processes data only in the specified network
segment. You can also create a filter strategy and deploy it to the UBA server. A filter strategy defines
whether the flow records that the UBA server receives are processed or directly discarded by UBA. For
more information about filter strategy configuration, see "
For more information about server configuration, see "
."
Audit tasks and results
UBA provides the following types of audit tasks: